Software Development must change

I am glad to see that many IT industry analysts are now writing about the increase in security vulnerabilities and hacks occurring at the application level.  However, it appears that security professionals are more than a few steps behind the hackers.  This is probably because almost all security defences are still at the network layer, and too many people believe that security is not part of a developer's job, or that QA is the same as security testing.

We write applications based upon the architectural design and specs that were created for an application; however, regardless of how diligent we try to be, we will always make mistakes.  The final application will have bugs and will never be 100 percent perfect as per the specs.  Today's line-of-business applications are much more complex than they ever were before.  This complexity results in more lines of code, interoperability between different systems and a greater need for distributed applications, all of which lead to more bugs, some of which will be security related.  This is where the biggest problem lies.  People accept that applications will have bugs and they will test for them, but security bugs will not be found by doing standard QA and acceptance testing.

We test the application to ensure it meets the requirements defined by the business, as per the specs we were given as developers.  This is really Quality Assurance testing and acceptance testing, but it is NOT security testing.  Rather, security testing should take into account that bugs exist in the application, and its goal is then to extend the behaviour of the application.  This is where the biggest difference occurs between the testing methodologies.  QA testing only looks at intended behaviour as defined by the spec, whereas security testing tries to extend the behaviour of an application and have it perform unintended operations, such as revealing information or calling other functions against the platform the application is residing on.
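The QA-versus-security distinction above is easiest to see in code. The following is an added example, not code from the original post: a hypothetical `report_path_naive` function that implements a spec ("a report named X lives at `<root>/X`") exactly, beside a `report_path_hardened` version that also enforces the property the spec never wrote down (the result must stay inside the report root). A `qa_suite` feeds both only the inputs the business would send, so both pass; a `security_suite` feeds them inputs the spec never mentions, and only the hardened version passes. The root directory `/srv/reports` and the file names are constructed for the example, and nothing needs to exist on disk.

```python
import os

# Constructed example root; nothing needs to exist on disk.
REPORT_ROOT = "/srv/reports"


def report_path_naive(name: str) -> str:
    """Meets the spec literally: the report lives at <root>/<name>.
    Every test written from the spec passes, but the result is wherever
    the caller steers it."""
    return os.path.join(REPORT_ROOT, name)


def report_path_hardened(name: str) -> str:
    """Same contract, plus the unwritten requirement that the result must
    be a file strictly inside REPORT_ROOT."""
    root = os.path.realpath(REPORT_ROOT)
    # os.path.join discards root if name is absolute; realpath collapses '..'
    # and any symlinks that do exist on disk.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath is the lexical "is inside" test; the root itself is not a report.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"report name escapes {root!r}: {name!r}")
    return candidate


def qa_suite(resolver) -> dict:
    """Intended behaviour only: the names the business would actually send.
    Returns {input: passed}."""
    results = {}
    for name in ["q1.pdf", "2023/summary.pdf"]:
        expected = os.path.realpath(os.path.join(REPORT_ROOT, name))
        try:
            results[name] = os.path.realpath(resolver(name)) == expected
        except ValueError:
            results[name] = False
    return results


def security_suite(resolver) -> dict:
    """Abuse cases the spec never mentions. An input passes only if the
    resolver refuses it (raises) or still returns a file under REPORT_ROOT.
    Returns {input: passed}."""
    root = os.path.realpath(REPORT_ROOT)
    results = {}
    for name in ["../../outside.txt", "/tmp/outside.txt",
                 "a/../../../outside.txt", "..", ""]:
        try:
            out = os.path.realpath(resolver(name))
            results[name] = (out != root
                             and os.path.commonpath([root, out]) == root)
        except ValueError:
            results[name] = True
    return results


def compare(resolver) -> dict:
    """Summarise both suites for one resolver as {suite: all_passed}."""
    return {
        "qa": all(qa_suite(resolver).values()),
        "security": all(security_suite(resolver).values()),
    }


if __name__ == "__main__":
    for fn in (report_path_naive, report_path_hardened):
        print(fn.__name__, compare(fn))
```

Both resolvers satisfy `qa_suite`, which is exactly why acceptance testing alone never flags the naive one; only `security_suite`, written from the attacker's question "what else can I make this do?", separates them. The hardened check rejects absolute names, `..` sequences and the empty name by comparing resolved paths rather than by pattern-matching the input, which is the property worth testing for.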

Therefore, we need to include security testing frequently throughout the development of applications.  One of the biggest reasons for this is that the cost of rewriting an application because of security vulnerabilities increases significantly at each stage of the Software Development Lifecycle.  The cost of fixing an application can be 15 times greater during system/acceptance testing and up to 100 times more once the application is released in the field.

If we continue to rely solely on acceptance testing and do not change our development process to include proper and frequent security testing, then hackers will continue to win the battle.  Hackers do not care whether the application meets its intended behaviour; rather, hackers want to extend the behaviour of an application so that it meets the goals of the hackers and not those of the business users.